Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/9/2019
10:30 AM
Rick Holland
Rick Holland
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Stop Mocking & Start Enabling Emerging Technologies

Mocking new technology isn't productive and can lead to career disadvantage.

As security leaders, do we spend as much time trying to understand our businesses as we do trying to understand the threats we face? It seems that we focus intently on emerging threats, but what about emerging technology?

Successful adoption of emerging technology can lead to a competitive advantage. Yet we CISOs have a history of lambasting emerging technologies — cloud, mobile, machine learning, and now blockchain — discounting the value as "pure hype." This practice of mocking new technology isn't productive and can lead to career disadvantage.

Think about this scenario. A web application that is integral to a major new marketing campaign is about to launch and the security team is asked to assess it at the last minute. Sound familiar? As frustrating as this is, this scenario happens on a larger scale as a matter of course when it comes to emerging technology. Why?

A Digital Disconnect
As companies consider the role of emerging technology in their digital transformation journeys, security teams are often sitting on the sidelines. A lack of engagement with the business is a major contributing factor. Many security leaders still haven't made the time to understand how the company operates, how it generates revenue, and how it plans to continue to grow. Also to blame is the security community's kneejerk response is to bash and discredit emerging technologies. Blockchain is just the latest example. There are legitimate use cases for blockchain; supply chain management is just one.

One of the primary roles of security leaders is to understand and effectively communicate risk. Scoffing when another new technology emerges, prevents us from doing this. Instead, we need to better understand the benefits so that our revenue-generating business partners can safely utilize them.

Brace for Impact
Autonomous vehicles, consumer Internet of Things devices, 5G, 3-D printing, and drones are just a few of the new technologies highlighted at this year's Consumer Electronics Show. They're on the verge of going mainstream now and should already be on your radar if your business can take advantage of them in any way. For some technologies in earlier stages of development, check out Soonish: Ten Emerging Technologies That'll Improve and/or Ruin Everything by Kelly and Zach Weinersmith. Think about the security implications associated with bioprinting or, even further out, brain computer interfaces.

In this "The World Is Flat" global environment, security leaders must understand that emerging technology can lead to first-mover and competitive advantage. How can CISOs prepare for the risks that new technologies can introduce to the organization? Here are five lessons I've learned that can help:

  1. Don't just focus on the adversary; focus on your business. Spend time talking to business leaders to truly understand how your company operates. Review marketing plans, technology road maps, financial reports, forecasts, and business development plans. Build a relationship with a board member to understand longer-term goals and pressures on the business. If you don't understand your business model, you have little chance of building an effective threat model for your program.
  2. Do more "homework" by talking to internal resources. Meet with the CTO and line-of-business CTOs periodically because those teams assess new technologies. If your business has an enterprise architecture team, try to get one of your resources regularly engaged with team members. Those teams are at the forefront of digital transformation initiatives, and security and privacy should be key components of those efforts. Many organizations start their annual planning in late summer, so use budget season to your advantage. Work with business leaders to understand the emerging technology they want to deploy and are including in their upcoming budgets.
  3. Make a concerted effort to track emerging technology. Get on the road and start attending conferences focused on your industry and the new technologies and services that are becoming available to address challenges and create opportunities. Reading what industry analysts have to say about top emerging technologies to watch is a good way to know if you've covered your bases. You should also monitor early adopters in your space by looking at their Securities and Exchange Commission filings, annual reports, and press releases. You can use Google alerts to track them. Of course, if you're learning from your competitors then chances are you're already late to the game — but it's better to know than not.
  4. Start understanding the risks of emerging technology. Actually using a new technology is the best way to see how it may introduce risk to your organization. Get it into one of your labs or talk to the business engineers who already have it in their labs to leverage their knowledge and expertise. If you don't have the skill set, resources, or time, then work with consultancies or security researchers to take advantage of their capabilities so you can get up to speed faster.
  5. Finally, don't believe the hype. Just because #INFOSEC Twitter makes fun of something doesn't mean you should discount it. Don't blindly buy into the negative hype around emerging technology. Ubiquitous vendor marketing also does us no favors as it predisposes us to cynicism. Skepticism is OK, just be objective as you evaluate the emerging technology.

Remember it is our job to understand and communicate the risk of emerging technologies. An approach like Gandalf the Gray screaming "you shall not pass to emerging technology" is not advisable. Your organization, and your career, are better served with something like, "you can pass; however, we need to make sure that you understand the risks associated with taking this path."

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Rick Holland has more than 14 years experience working in information security. Prior to joining Digital Shadows, he was a vice president and principal analyst at Forrester Research, providing strategic guidance on security architecture, operations, and data privacy. Rick ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10133
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.
CVE-2019-10134
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The size of users' private file uploads via email were not correctly checked, so their quota allowance could be exceeded.
CVE-2019-10154
PUBLISHED: 2019-06-26
A flaw was found in Moodle before versions 3.7, 3.6.4. A web service fetching messages was not restricted to the current user's conversations.
CVE-2019-9039
PUBLISHED: 2019-06-26
The Couchbase Sync Gateway 2.1.2 in combination with a Couchbase Server is affected by a previously undisclosed N1QL-injection vulnerability in the REST API. An attacker with access to the public REST API can insert additional N1QL statements through the parameters ?startkey? and ?endkey? of the ?_a...
CVE-2018-20846
PUBLISHED: 2019-06-26
Out-of-bounds accesses in the functions pi_next_lrcp, pi_next_rlcp, pi_next_rpcl, pi_next_pcrl, pi_next_rpcl, and pi_next_cprl in openmj2/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application crash).